Protect every API your business runs on.

Most API attacks look like normal traffic. Cyron sees the difference. Deploy in 10 minutes, no code changes required.

See it in action

Free plan available · Live in under 10 minutes · EU data sovereignty

  • 2ms Avg detection time
  • 7 Threat intel feeds
  • 14d Full-platform trial

Protecting APIs across industries

Financial Services · Healthcare · SaaS Platforms · E-Commerce · Critical Infrastructure

APIs are now your biggest attack surface. Most defences were not designed for them.

WAFs and CDNs operate at the network layer. They cannot read payload intent, detect business-logic abuse, or understand API-specific behaviour. A different layer of traffic demands a different layer of protection.

99%

of organisations encountered API security issues in the past 12 months

APIs are the primary route for data exfiltration — and they often look exactly like normal application traffic when they are being abused.

Salt Labs Q1 2025

241d

mean time to identify and contain a breach

Most organisations do not discover a compromise until eight months later — by then, the damage is done. Cyron detects threats in under 2ms.

IBM Cost of a Data Breach 2025

$70K

average annual contract for enterprise API security platforms

Legacy enterprise API security platforms are priced for Fortune 500 budgets. Cyron delivers comparable kernel-level runtime protection from $15 per month.

Vendr.com B2B pricing data, average enterprise contract value.

Cyron detects what rule-based tools cannot see.

Below: a real attack pattern Cyron blocks daily — checkout-coupon enumeration. Where a WAF sees normal HTTPS, Cyron's System 2 Thinking layer reasons about what the request is actually doing — analysing a kernel-level mirrored copy out-of-band, never sitting in the live request path.

  • APIs monitored: 142 · ↑ 3 added today
  • Threats blocked: 7 · last 24 hrs
  • Avg block time: 1.8ms · ↓ 0.2ms faster

  • Real-time BOLA detection on a live API
  • Real-time WebSocket threat detection: CSWSH, injection, frame anomalies
  • Real-time gRPC and protobuf threat detection on wire-level features

Cyron detects an authenticated attacker enumerating order IDs across user accounts; iris then blocks the offending source at the kernel — without slowing legitimate traffic.

Kernel-level protection. Zero configuration drift.

  1. Deploy the iris agent

    Drop one Docker container onto your host. The iris eBPF agent attaches at the kernel layer. No library imports. No SDK changes. No restart required.

    $ docker run -d --privileged cyron/iris-agent
  2. Mirror, never intercept

    iris mirrors HTTP/REST, WebSocket, and gRPC traffic to the Cyron analysis engine in real time. Live API traffic continues without any added latency — Cyron analyses a kernel-level copy out-of-band. Behavioural baselines build automatically over 24 hours.

    Mirroring: HTTP · WebSocket · gRPC
    Baseline: 1,240 endpoints · 0ms added latency
  3. Block threats at the kernel

    When Cyron detects an attack from the mirrored stream, iris blocks subsequent requests from the offending source at the kernel layer. Legitimate traffic continues uninterrupted. Mean detect-to-action: 1.8ms.

    DETECTED: API8 payload anomaly
    Source blocked at kernel · 1.8ms ✓

Built for the teams building with APIs every day.

Growing SaaS teams

Your APIs handle real customer data. You do not have a dedicated security team. Cyron gives you kernel-level API protection from $15 per month — no security expertise required.

Free plan available indefinitely with no credit card. 14-day trial unlocks the full platform when you are ready to commit.

No security hire needed

Regulated industries

Financial services, healthcare, and property platforms carry real compliance obligations. Cyron is designed to support GDPR, NIS2, PCI-DSS, and HIPAA — with an audit trail from day one.

Every threat event is logged, timestamped, and exportable for your insurer or auditor.

Insurance-ready logs

High-volume API platforms

Marketplace platforms, payment processors, and multi-service architectures need protection that scales without degrading performance. Because iris mirrors traffic at the kernel layer rather than sitting inline, Cyron adds zero latency to your live API path at any volume.

Higher-throughput tiers cover larger API estates with priority support.

No performance overhead

MSPs and managed security providers

Every Cyron incident comes with a forensic explanation you can defend — to your client, your insurer, and a court. No black-box decisions. Multi-tenant dashboard. Audit trails on every block.

White-label dashboard available on the Talk-to-us tier and OnPremise.

Explainable security

Every attack surface. One platform.

The OWASP API Security Top 10 categorises the most consequential API attacks. Cyron detects and blocks all of them — not with rules, but with behavioural intelligence trained on live API traffic patterns.

Business logic fraud

Checkout enumeration, coupon abuse, inventory manipulation, price tampering — attacks that exploit your business logic, not your code vulnerabilities.

  • API4:2023
  • API6:2023

Data theft and exfiltration

Object property exposure, mass assignment, and broken object-level authorisation that leak data through endpoints reachable from outside your app.

  • API1:2023
  • API3:2023
  • API6:2023

Account takeover

Credential stuffing, broken authentication, and JWT attacks that compromise user sessions and escalate attacker privileges inside your platform.

  • API2:2023
  • API5:2023

Compliance exposure

Shadow APIs, unauthenticated endpoints, and PII leakage routes that create regulatory liability you do not know exists until an auditor finds them.

  • API9:2023

Infrastructure disruption

Server-side request forgery and unrestricted resource consumption that pivot from your API into your internal network or starve your service.

  • API7:2023
  • API4:2023

Protecting your APIs in under 10 minutes.

No library installs. No SDK changes. No application restarts. Cyron's iris eBPF agent runs alongside your existing stack — your developers never need to touch their code.

  1. Pull the iris container — one command

  2. Agent auto-discovers all active API endpoints

  3. Behavioural baseline builds in 24 hours, silently

  4. Live protection on — threats blocked at the kernel

$ docker run -d --privileged cyron/iris-agent
Pulling iris agent... done ✓
Attaching eBPF probe to kernel...
Discovering endpoints...
Found 142 active endpoints across 6 services
Building baseline model...
Continues silently in background (24h)
✓ Cyron iris agent active
Protection enabled in 8m 42s

Try it free. Pay when you are ready.

Start free indefinitely with no credit card, or unlock the full platform for 14 days with the trial. All plans include the iris eBPF agent, kernel-level traffic mirroring, multi-protocol coverage, and EU data sovereignty.

Start with a 14-day full-platform trial · Every Cyron capability unlocked. No setup fee. Cancel before day 14 and you pay nothing.

Start 14-day trial

Free

See what Cyron detects.

$0 /mo
$0 /mo, billed annually
  • Threat detection across HTTP, WebSocket and gRPC
  • Threat intelligence enrichment from 7 curated feeds
  • Sensitive data exposure scanning
  • 5 requests per minute, indefinite
Start free

Lite

Threat visibility and kernel-level blocking for small teams.

$15 /mo
$12 /mo, billed annually
  • Everything in Free, plus:
  • Kernel-level blocking with the iris eBPF agent
  • SIEM webhook integration for real-time alerts
  • Automated endpoint discovery
  • Incident dashboard
Get Lite

Essential (most popular)

For teams whose APIs handle sensitive data or financial transactions.

$25 /mo
$21 /mo, billed annually
  • Everything in Lite, plus:
  • Behavioural intelligence that learns your traffic patterns
  • Credential stuffing and account enumeration detection
  • Business-logic abuse identification
  • Endpoint exemption management
Get Essential

Standard

For production environments needing explainable threat assessments.

$65 /mo
$55 /mo, billed annually
  • Everything in Essential, plus:
  • AI-powered reasoning for ambiguous threats (System 2 Thinking)
  • Forensic threat reports in plain English
  • Threat intelligence woven into every report
  • Protocol-specific analysis for HTTP, WebSocket and gRPC
Get Standard

Premium

For growing platforms with significant API traffic.

$165 /mo
$138 /mo, billed annually
  • Everything in Standard, plus:
  • Higher analysis throughput for larger API surfaces
  • Same detection depth applied to more traffic
  • Priority email support
Get Premium

Talk to us

Higher throughput, on-premise, white-label, custom SLA.

Custom · contact us
  • Everything in Premium, plus:
  • Higher analysis throughput for the largest API estates
  • On-premise / air-gapped deployment
  • White-label dashboard for managed service partners
  • Custom SLA and dedicated onboarding
Talk to us

For context: the average Australian SME breach costs A$56,600. Cyron Lite costs less than 0.4% of one incident. — ACSC Annual Cyber Threat Report 2024-25

Designed to support compliance with

  • GDPR EU data protection
  • NIS2 EU network and information security
  • PCI-DSS 4.0 Payment card data
  • HIPAA-compatible US healthcare data handling

Frequently asked questions

Does Cyron replace my WAF?

No, and that is the point. A WAF sits inline and blocks requests by pattern matching at the network layer. It has no visibility into API payload intent, business-logic abuse, or behavioural anomalies. Cyron does not sit inline at all — the iris agent mirrors traffic at the kernel layer to a separate Cyron analysis engine, which understands what your API is actually doing. They protect different surfaces. Most Cyron customers run both.

Do my developers need to change any code?

Zero code changes. The iris eBPF agent is deployed as a Docker container that attaches at the Linux kernel layer. It mirrors API traffic out-of-band to the Cyron analysis engine — your live request path is never modified, so latency on legitimate traffic is unaffected. Your developers never import an SDK, modify a library, or restart a service. Average deployment time from pulling the image to live protection is under 10 minutes.

Where does my traffic data go? Who can see it?

iris mirrors a kernel-level copy of API traffic to the Cyron analysis engine, hosted in EU infrastructure. Cyron does not store raw payloads — the analysis engine extracts metadata and behavioural patterns and discards the bodies. Your live API traffic is never routed through Cyron, so even an outage on our side cannot affect your applications. For organisations with strict data residency requirements, on-premise deployment keeps all mirroring and analysis within your own infrastructure.

What is System 2 Thinking?

Standard security tools generate binary alerts: threat or not-threat. This produces false positives that developers learn to ignore. System 2 Thinking is Cyron's LLM-based forensic analysis layer. When Cyron flags ambiguous behaviour from the mirrored traffic stream, it runs a structured reasoning pass to determine what the request is actually trying to do. The output is a plain-English forensic report attached to every flagged event, explaining what was detected and why.

How does Cyron handle high traffic volumes?

iris mirrors traffic at the kernel layer rather than sitting inline, so Cyron adds zero latency to your live request path regardless of volume. The Cyron analysis engine processes the mirrored stream out-of-band; if the engine ever falls behind on bursts, your APIs continue serving requests at full speed because they were never gated by analysis. For specific throughput requirements, talk to us about capacity planning before deployment.

Your APIs are running right now. Is anything watching them?

Start free — no credit card, no sales call, no code changes. iris deploys at the kernel via mirroring, so live API traffic is never delayed. Most teams have visibility in under 10 minutes.

Start protecting for free

Free plan, no credit card · 14-day full-platform trial available · EU data sovereignty on all plans · Cancel any time